
    Verification of Multi-Agent Properties in Electronic Voting: A Case Study

    Formal verification of multi-agent systems is hard, both theoretically and in practice. In particular, studies that use a single verification technique typically show limited efficiency and allow one to verify only toy examples. Here, we propose some new techniques and combine them with several recently developed ones to see what progress can be achieved for a real-life scenario. Namely, we use fixpoint approximation, domination-based strategy search, partial order reduction, and parallelization to verify heterogeneous scalable models of the Selene e-voting protocol. The experimental results show that the combination allows one to verify requirements for much more sophisticated models than previously

    Electronic Voting Technology Inspired Interactive Teaching and Learning Pedagogy and Curriculum Development for Cybersecurity Education

    Cybersecurity is becoming increasingly important to individuals and society alike. However, due to its theoretical and practical complexity, keeping students interested in the foundations of cybersecurity is a challenge. One way to excite such interest is to tie it to current events, for example elections. Elections are important to both individuals and society, and typically dominate much of the news before and during the election. We are developing a curriculum based on elections and, in particular, an electronic voting protocol. Basing the curriculum on an electronic voting framework allows one to teach critical cybersecurity concepts such as authentication, privacy, secrecy, access control, encryption, and the role of non-technical factors such as policies and laws in cybersecurity, which must include societal and human factors. Student-centered interactions and projects allow students to apply the concepts, thereby reinforcing their learning

    Proving Coercion-Resistance of Scantegrity II

    By now, many voting protocols have been proposed that, among others, are designed to achieve coercion-resistance, i.e., resistance to vote buying and voter coercion. Scantegrity II is among the most prominent and successful such protocols in that it has been used in several elections. However, almost none of the modern voting protocols used in practice, including Scantegrity II, has undergone a rigorous cryptographic analysis. In this paper, we prove that Scantegrity II enjoys an optimal level of coercion-resistance, i.e., the same level of coercion-resistance as an ideal voting protocol (which merely reveals the outcome of the election), except for so-called forced abstention attacks. This result is obtained under the (necessary) assumption that the workstation used in the protocol is honest. Our analysis is based on a rigorous cryptographic definition of coercion-resistance we recently proposed. We argue that this definition is in fact the only existing cryptographic definition of coercion-resistance suitable for analyzing Scantegrity II. Our case study should encourage and facilitate rigorous cryptographic analysis of coercion-resistance also for other voting protocols used in practice

    Electronic Voting over the Internet - A real-world solution

    Multicert has been developing an Internet voting solution called Certvote for over a decade. The system was included in the pilot experiment for electronic elections in Portugal at the beginning of the millennium, and has been updated and developed ever since. The dissertation will have the student analyse this system and characterize it relative to the state of the art. Namely, the following objectives are underway: 1) Investigation of the state of the art for electronic voting systems in the scientific literature; 2) Detailed characterization of Certvote with the aid of Multicert's development team; 3) Comparison of Certvote and relevant alternative solutions, both in terms of the specific scenarios it should work under and of the security requirements or trust models it offers; 4) Proposal of changes to improve Certvote according to the obtained results

    BeleniosRF: A Non-interactive Receipt-Free Electronic Voting Scheme

    We propose a new voting scheme, BeleniosRF, that offers both receipt-freeness and end-to-end verifiability. It is receipt-free in a strong sense, meaning that even dishonest voters cannot prove how they voted. We provide a game-based definition of receipt-freeness for voting protocols with non-interactive ballot casting, which we name strong receipt-freeness (sRF). To our knowledge, sRF is the first game-based definition of receipt-freeness in the literature, and it has the merit of being particularly concise and simple. Built upon the Helios protocol, BeleniosRF inherits its simplicity and does not require any anti-coercion strategy from the voters. We implement BeleniosRF and show its feasibility on a number of platforms, including desktop computers and smartphones

    VoteBox Nano: A smaller, stronger FPGA-based voting machine

    This thesis describes a minimal implementation of a cryptographically secure direct recording electronic (DRE) voting system, built with a low-cost Xilinx FPGA board. Our system, called VoteBox Nano, follows the same design principles as VoteBox, a full-featured electronic voting system. The votes are encrypted using ElGamal homomorphic encryption, and the correctness of the system can be challenged by real voters during an ongoing election. In order to fit within the limits of a minimal FPGA, VoteBox Nano eliminates VoteBox's sophisticated network replication mechanism and full-color bitmap graphics system. In return, VoteBox Nano runs without any operating system or language runtime and interacts with the voter using simple character graphics, radically shrinking the implementation complexity. VoteBox Nano also integrates a true random number generator (TRNG), providing improved security. In order to deter hardware tampering, we use the FPGA's native JTAG interface coupled with the TRNG. At boot time, the proper FPGA configuration displays a random number on the built-in display. Any interaction with the JTAG interface will change this random number, allowing the poll workers to detect election-day tampering simply by observing whether the number has changed

    Ballot secrecy: Security definition, sufficient conditions, and analysis of Helios

    We propose a definition of ballot secrecy as an indistinguishability game in the computational model of cryptography. Our definition improves upon earlier definitions to ensure ballot secrecy is preserved in the presence of an adversary that controls ballot collection. We also propose a definition of ballot independence as an adaptation of an indistinguishability game for asymmetric encryption. We prove relations between our definitions. In particular, we prove ballot independence is sufficient for ballot secrecy in voting systems with zero-knowledge tallying proofs. Moreover, we prove that building systems from non-malleable asymmetric encryption schemes suffices for ballot secrecy, thereby eliminating the expense of ballot-secrecy proofs for a class of encryption-based voting systems. We demonstrate applicability of our results by analysing the Helios voting system and its mixnet variant. Our analysis reveals that Helios does not satisfy ballot secrecy in the presence of an adversary that controls ballot collection. The vulnerability cannot be detected by earlier definitions of ballot secrecy, because they do not consider such adversaries. We adopt non-malleable ballots as a fix and prove that the fixed system satisfies ballot secrecy

    Matters of Coercion-Resistance in Cryptographic Voting Schemes

    This work addresses coercion-resistance in cryptographic voting schemes. It focuses on three particularly challenging cases: write-in candidates, internet elections and delegated voting. Furthermore, this work presents a taxonomy for analyzing and comparing a huge variety of voting schemes, and presents practical experiences with the voting scheme Bingo Voting